
Key Points for Configuring PBR

This section describes how to configure PBR.

Context

After PBR intelligent uplink selection is configured, traffic that subsequently passes through the FW is forwarded according to the link selection policies. Traffic belonging to sessions that were established before the configuration is not affected immediately, because those session entries have not yet aged out and the traffic keeps following its existing session rather than the link selection policies. You can run the reset firewall session table command to clear the session entries manually, or wait for the sessions to age out.

Clearing the session table interrupts services. Therefore, exercise caution when performing this operation, and clear the session entries only after confirming that services will not be affected.

Procedure

  1. Configure matching conditions of PBR rules and specify the traffic for which PBR is to be performed.
  2. Configure single-egress PBR actions.
    1. Configure an outbound interface and the next hop.
    2. (Optional) Enable PBR to interwork with IP-link or BFD and enable the FW to determine the validity of PBR based on IP-link or BFD status.
  3. Configure multi-egress PBR actions. For examples of configuring multi-egress PBR, see ISP Link Selection by ISP Routes.

    This section describes only the configurations of each intelligent uplink selection mode. For configurations of interfaces, see Key Points for Configuring the Global Route Selection Policy.

    1. Set the uplink selection mode for policy-based routes.
    2. Add intelligent uplink selection member interfaces.
    3. (Optional) Enable the overload protection function.
    4. (Optional) Specify the health check and link quality indicator, and check whether the quality of the link for the outbound interface meets the link quality requirements.
    5. (Optional) Configure the sticky session function.
    6. (Optional) Set the parameter for intelligent uplink selection hashing.
  4. Configure other PBR actions.

Matching Conditions of a PBR Rule

Operation: Access the system view
Command: system-view

Operation: Create a PBR policy and access its view
Command: policy-based-route

Operation: Create a PBR rule and access its view
Command: rule name rule-name

Operation: (Optional) Configure a description for the PBR rule
Command: description text
Description: The description helps an administrator understand the function of a PBR rule, which facilitates querying and maintaining the rule.

Operation: (Optional) Configure a tag for the policy
Command: add tag tag-name
Description: After policies reference tags, you can query policies by tag and delete, move, enable, or disable policies in batches based on the query results. For the tag description and configuration, see Tag.

Operation: Enable the PBR rule to divert traffic
Command: enable
Description: By default, PBR rules are enabled.

Operation: Set the matching conditions of the PBR rule

NOTE: Either the source security zone or the incoming interface must be specified as a matching condition. If you specify both, the latest configuration overwrites the previous one. The source IP address, destination IP address, service type, application type, effective duration, DSCP value, and user are optional; select them as required.

Condition: Source security zone or incoming interface
Command:
  • source-zone zone-name&<1-6>
  • ingress-interface { interface-type interface-number }&<1-6>
NOTE: Apart from physical interfaces, the FW supports four types of logical interface as the incoming interface: the VLANIF interface, Ethernet subinterface, Eth-Trunk interface, and loopback interface.
  • When the incoming interface is a VLANIF interface, PBR is applied to the traffic of the specified VLAN.
  • When the incoming interface is an Ethernet subinterface, PBR is applied to the traffic of the specified subinterface.
  • When the incoming interface is an Eth-Trunk interface, PBR is applied to the traffic from the specified Eth-Trunk link.

Condition: Source IP address
Command:
  • source-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | ipv6-address ipv6-prefix-length [ description description ] | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } [ description description ] | mac-address &<1-6> | isp isp-name &<1-6> | domain-set domain-set-name &<1-6> | any }
  • source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description description ]

Condition: Destination IP address
Command:
  • destination-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | ipv6-address ipv6-prefix-length [ description description ] | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } [ description description ] | mac-address &<1-6> | isp isp-name &<1-6> | domain-set domain-set-name &<1-6> | any }
  • destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } } [ description description ]

Condition: User
Command: user { username user-name &<1-6> | user-group user-group-name &<1-6> | security-group security-group-name &<1-6> | any }

Condition: Service type (by referencing a service or service group)
Command:
  • service { service-name&<1-6> | any }
  • service-exclude service-name &<1-6>

Condition: Service type (by referencing a TCP/UDP/SCTP port or IP-layer protocol)
Command:
  • service protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *
  • service protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]
  • service protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]
  • service protocol protocol-number
  • service-exclude protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *
  • service-exclude protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]
  • service-exclude protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]
  • service-exclude protocol protocol-number

Condition: Application type
Command: application { any | app app-name &<1-6> | app-group app-group-name &<1-6> | category category-name [ sub-category sub-category-name &<1-6> ] | label label-name &<1-6> | software software-name &<1-6> }

Condition: Effective duration of PBR
Command: time-range time-range-name

Condition: DSCP value of packets
Command: dscp dscp-value

Configuring Single-Egress PBR Actions

Operation: Configure an outbound interface and the next hop
Command: action pbr { egress-interface interface-type interface-number [ next-hop ip-address ] | next-hop ip-address }
NOTE: If the outbound interface connects to a non-P2P network, the interface may be connected to multiple network devices. In this case, the next hop must be specified to ensure that packets are forwarded to the correct device.

Operation: (Optional) Enable PBR to interwork with IP-link or BFD so that the FW determines the validity of PBR based on the IP-link or BFD status
Command: track { ip-link link-id | bfd-session bfd-session-id }
NOTE: A PBR rule can interwork with either IP-link or BFD.
Description: If IP-link or BFD is configured and detects that the next hop is unreachable, the FW forwards the packet based on the routing table instead.

Configuring Multi-Egress PBR Actions

  1. Create a PBR rule and access the multi-egress view of the rule

    action pbr egress-interface multi-interface

  2. Set the uplink selection mode for policy-based routes.

    mode { priority-of-link-quality | priority-of-userdefine | proportion-of-bandwidth | proportion-of-weight }

    The intelligent uplink selection mode determines the standard of link selection. The global route selection policy supports four link selection modes:

    Intelligent uplink selection mode: Load balancing by link bandwidth
    Command: mode proportion-of-bandwidth
    Description: The FW distributes traffic to each link in proportion to the link bandwidth.

    Intelligent uplink selection mode: Load balancing by link quality
    Command: mode priority-of-link-quality
    Description: The FW tunes the traffic distribution dynamically based on the real-time transmission quality of each link. Packet loss ratio, delay, and/or jitter are used to evaluate the quality of a link, and traffic is forwarded over the link with the best quality.

    Intelligent uplink selection mode: Load balancing by link weight
    Command: mode proportion-of-weight
    Description: The FW distributes traffic to each link in proportion to the link weight. Load balancing by link weight is the default intelligent uplink selection mode.

    Intelligent uplink selection mode: Active/standby backup by link priority
    Command: mode priority-of-userdefine
    Description: The FW preferentially uses the link with the highest priority to transmit traffic and uses all other links as backup links or load balancing links.

  3. Perform the following configurations when the link selection mode is load balancing by link quality:

    Operation: Set the protocol type of link quality detection packets
    Command: priority-of-link-quality protocol { icmp | tcp-simple }
    Description: The default protocol type of link quality detection packets is tcp-simple.

    Operation: Set the quality parameters for link quality probing
    Command: priority-of-link-quality parameter { delay | jitter | loss } *
    Description: The default quality parameter for link quality probing is the packet loss ratio (loss).

    Operation: Set the number of probes and the interval of link quality detection
    Command: priority-of-link-quality { interval interval | times times } *
    Description: By default, the detection interval (interval) is 5 seconds and the number of probes (times) is 3.

    Operation: Set the mask length for link quality detection
    Command: priority-of-link-quality mask mask-length
    Description: By default, the mask length is 16.

    After you run the mode command to set the intelligent uplink selection mode to load balancing by link quality, you can run the priority-of-link-quality mask command to set the mask length. The configuration takes effect globally: intelligent uplink selection for all policy-based routes uses this mask length. After completing link quality detection for a destination IP address, the device treats the detection result as the link quality of the whole destination subnet, which is determined by the destination IP address and the mask length specified in the command. You can run the display priority-of-link-quality table command to display the destination IP addresses and the mask length.

    In link quality detection, a single destination IP address therefore represents all IP addresses in its destination subnet. You can expand or narrow the subnet range based on the actual conditions; the default value is recommended.

    Operation: Set the aging time of link quality detection entries
    Command: priority-of-link-quality table aging-time aging-time
    Description: By default, the aging time is 1800 seconds.

  4. Add intelligent uplink selection member interfaces.

    add { interface interface-type interface-number | interface-group { interface-group-name | isp isp-name } } [ priority priority | weight weight ] *

    The FW selects outbound interfaces from only intelligent uplink selection member interfaces. You need to set related parameters for the member interfaces based on the specified intelligent uplink selection mode.

    Parameter: Bandwidth and overload protection threshold of the member interfaces
    Command: The interface bandwidth and overload protection threshold are configured during interface configuration.
    Description: When you set the intelligent uplink selection mode to load balancing by link bandwidth, you need to set the bandwidth of the member interfaces. To implement interface overload protection, you also need to set the overload protection threshold. When the bandwidth usage of a link reaches the threshold, the FW stops using that link for traffic transmission and uses a link that is not overloaded instead.

    Parameter: Member interface weight
    Command: add { interface interface-type interface-number | interface-group { interface-group-name | isp isp-name } } weight weight
    Description: When you set the intelligent uplink selection mode to load balancing by link weight, you need to set the weight of the member interfaces. If you do not set the weight, the default weight is 1.

    Parameter: Member interface priority
    Command: add { interface interface-type interface-number | interface-group { interface-group-name | isp isp-name } } priority priority
    Description: When you set the intelligent uplink selection mode to active/standby backup by link priority, you need to set the priority of the member interfaces. If you do not set the priority, the default priority is 1.

  5. (Optional) Enable the overload protection function.

    overload protection enable

    By default, overload protection is enabled for intelligent uplink selection.

    When the bandwidth usage and overload protection threshold are specified on an intelligent uplink selection member interface, if the bandwidth usage of a link reaches the overload protection threshold, the FW excludes the overloaded link and selects routes from unoverloaded links. When a link is overloaded, new sessions need to be switched to another link, affecting service experience. The FW supports the use of the undo overload protection enable command to disable the link overload protection function. In this case, the link is not switched even if it is overloaded.

  6. (Optional) Specify the health check and link quality indicator.

    healthcheck healthcheck-name sla sla-name

    A health check object is created using the healthcheck name command. A link quality indicator is created using the sla name command.

    Link quality detection depends on the health check. If route selection is to take the link delay, jitter, and packet loss rate into account, you need to reference both a health check object and a link quality indicator in the route selection policy. Referencing only the health check on a route selection member interface detects the connectivity of the interface link, nothing more.

    After health check and link quality indicator objects are referenced in a global routing policy or multi-ISP policy-based route, the FW checks whether the link quality (delay, jitter, and packet loss rate) meets the quality requirements of link quality indicators in real time. The links that do not meet the requirements are not allowed to participate in intelligent uplink selection until their link quality meets the requirements.

  7. (Optional) Configure the sticky session function.

    Operation: Enable the sticky session function
    Command: session persistence enable
    Description: By default, the sticky session function is disabled for intelligent uplink selection.
    NOTICE: After the sticky session function is disabled, the FW immediately deletes all sticky session entries of the corresponding intelligent uplink selection policy, which may cause link switchover for some users. Therefore, exercise caution.
    When a link involved in intelligent uplink selection goes down, the sticky session entries of that link are aged out immediately, and the FW selects a working link for subsequent traffic.

    Operation: Configure the sticky session mode
    Command: session persistence mode { source-ip | destination-ip } *
    Description: The default sticky session mode is source-ip.
    NOTICE: After the sticky session mode is changed, the FW immediately deletes all sticky session entries of the intelligent uplink selection policy, which may cause link switchover for some users. Therefore, exercise caution.

    Operation: Set the source or destination subnet mask length
    Command:
      • session persistence source-ip mask mask-length
      • session persistence destination-ip mask mask-length
    Description: The default source subnet mask length is 32 bits, and the default destination subnet mask length is 16 bits.
    NOTICE: After you modify the source or destination subnet mask length, the FW deletes all existing sticky session entries, which may cause link switchover for some users. Therefore, exercise caution.

    Operation: Set the aging time of sticky session entries
    Command: session persistence table aging-time aging-time
    Description: The default aging time of sticky session entries is 300 seconds. If a sticky session entry is not matched by any session within the aging time, the entry is aged out.

  8. (Optional) When the intelligent uplink selection mode is load balancing based on link bandwidth or link weight, set the parameter for intelligent uplink selection hashing.

    load-balance flow hash { destination-ip | destination-port | source-ip | source-port } *

    The default hash input for intelligent uplink selection is source IP address (source-ip). If traffic on the outbound interface is uneven, adjust the hash mode.

    When the intelligent uplink selection mode is load balancing based on link bandwidth or link weight, and multiple outbound interfaces are available for intelligent uplink selection, the FW will select one of the interfaces as the outbound interface based on the hash result. For example, when the intelligent uplink selection mode is load balancing by link bandwidth and the links of the two interfaces have the same bandwidth and are both not overloaded, the FW will select one of the interfaces as the outbound interface based on the hash result.
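The multi-egress procedure in steps 2 to 8 above (selection mode, member interface parameters, overload protection, hashing, and sticky sessions) can be modelled end to end to see how the pieces interact. The following Python is an added example written for this page; it is not Huawei code and not the FW's implementation. The hash function, the slot-table form of proportional selection, the interface names, the bandwidth and usage figures, and the assumption that a larger priority value is preferred are all constructed for illustration. The masked-address keying used for the sticky session entries is the same idea as the destination subnet keying that the priority-of-link-quality mask command controls in step 3.

```python
"""Multi-egress intelligent uplink selection with sticky sessions, modelled in Python.

Added example, not Huawei code. Assumed for illustration: the hash function, the
slot-table form of proportional selection, the usage figures, and that a larger
priority value is preferred. Defaults taken from the page: weight 1, priority 1,
flow hash on source-ip, sticky mode source-ip, masks 32/16 bits, aging 300 s.
"""
import hashlib
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Member:
    name: str
    bandwidth_mbps: int = 0        # share under proportion-of-bandwidth
    usage_mbps: int = 0            # current load (assumed measured by the FW)
    overload_threshold: int = 100  # percent of bandwidth (assumed default)
    weight: int = 1                # share under proportion-of-weight
    priority: int = 1              # used by priority-of-userdefine
    up: bool = True

    def overloaded(self) -> bool:
        return (self.bandwidth_mbps > 0 and
                self.usage_mbps * 100 >= self.bandwidth_mbps * self.overload_threshold)


FIELD_KEYS = {"source-ip": "src", "destination-ip": "dst",
              "source-port": "sport", "destination-port": "dport"}


def flow_hash(flow: dict, fields=("source-ip",)) -> int:
    """Stable hash over the configured load-balance flow hash fields."""
    material = "|".join(f"{f}={flow[FIELD_KEYS[f]]}" for f in sorted(fields))
    return int.from_bytes(hashlib.sha256(material.encode()).digest()[:8], "big")


def select_egress(members, flow, mode="proportion-of-weight",
                  hash_fields=("source-ip",), overload_protection=True):
    """Pick a member interface name for a new flow, or None if no link is usable."""
    candidates = [m for m in members if m.up]
    if overload_protection:                      # overloaded links drop out
        candidates = [m for m in candidates if not m.overloaded()]
    if not candidates:
        return None
    if mode == "priority-of-userdefine":         # best priority carries traffic
        best = max(m.priority for m in candidates)
        candidates = [m for m in candidates if m.priority == best]
        shares = [1] * len(candidates)
    elif mode == "proportion-of-bandwidth":
        shares = [m.bandwidth_mbps for m in candidates]
    elif mode == "proportion-of-weight":
        shares = [m.weight for m in candidates]
    else:
        raise ValueError(f"unsupported mode {mode!r}")
    if sum(shares) == 0:
        shares = [1] * len(candidates)
    # Slot table sized by share, indexed by the flow hash: two equal, unloaded
    # links split flows by hash, which is the case the page describes.
    slots = [m.name for m, s in zip(candidates, shares) for _ in range(s)]
    return slots[flow_hash(flow, hash_fields) % len(slots)]


def subnet_key(address: str, mask_length: int) -> str:
    """Mask an address to its subnet, e.g. 198.51.100.7/16 -> 198.51.0.0/16."""
    return str(ip_network(f"{address}/{mask_length}", strict=False))


class StickySessions:
    """session persistence: entries keyed by masked source/destination, aged by time."""

    def __init__(self, modes=("source-ip",), src_mask=32, dst_mask=16, aging_time=300):
        self.modes, self.src_mask, self.dst_mask = modes, src_mask, dst_mask
        self.aging_time = aging_time
        self.entries = {}                        # key -> (link, time of last match)

    def key(self, flow):
        parts = []
        if "source-ip" in self.modes:
            parts.append(subnet_key(flow["src"], self.src_mask))
        if "destination-ip" in self.modes:
            parts.append(subnet_key(flow["dst"], self.dst_mask))
        return tuple(parts)

    def egress_for(self, members, flow, now, **selection):
        """Reuse the remembered link while its entry is alive, else select and remember."""
        k = self.key(flow)
        hit = self.entries.get(k)
        if hit and now - hit[1] < self.aging_time:
            self.entries[k] = (hit[0], now)      # a match refreshes the entry
            return hit[0]
        link = select_egress(members, flow, **selection)
        if link is not None:
            self.entries[k] = (link, now)
        return link

    def link_down(self, link):
        """Entries of a link that goes down are aged out immediately."""
        self.entries = {k: v for k, v in self.entries.items() if v[0] != link}


# Constructed members (3:1 bandwidth and weight) and 2000 flows from distinct hosts.
ISP1 = Member("GE1/0/1", bandwidth_mbps=300, usage_mbps=50, weight=3, priority=2)
ISP2 = Member("GE1/0/2", bandwidth_mbps=100, usage_mbps=20, weight=1, priority=1)
FLOWS = [{"src": f"10.1.{i // 250}.{i % 250 + 1}", "dst": "198.51.100.7",
          "sport": 40000 + i, "dport": 443} for i in range(2000)]

if __name__ == "__main__":
    n1 = sum(select_egress([ISP1, ISP2], f, mode="proportion-of-bandwidth") == ISP1.name
             for f in FLOWS)
    print(f"proportion-of-bandwidth: {n1} of {len(FLOWS)} flows on {ISP1.name}")
```

In this model a live sticky entry takes precedence over a fresh selection, so a source (or, in destination-ip mode, a whole destination /16) stays on its link until the entry is not matched for the aging time or the link goes down; changing the mode or mask on the device flushes the table, which is why the NOTICEs above warn about link switchover.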

Configuring Other PBR Actions

action { pbr vpn-instance vpn-instance-name | no-pbr }

  • vpn-instance vpn-instance-name indicates that traffic is forwarded to other virtual systems based on PBR.
  • no-pbr indicates that PBR is not performed and traffic is forwarded based on the existing routing table.

    no-pbr applies to certain scenarios. For example, to implement PBR on subnet 10.1.1.0/24 except 10.1.1.2, configure a rule with a higher priority to implement no-pbr on 10.1.1.2 first and then another rule with a lower priority to implement pbr on subnet 10.1.1.0/24.
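The rule ordering described above, together with the matching conditions listed under Matching Conditions of a PBR Rule, can be modelled to see how first-match evaluation produces the "whole subnet except one host" result. The following Python is an added example written for this page; it is not Huawei code and not the FW's implementation. The Rule and Packet fields, the interface names and the next-hop address are constructed for illustration, and the reading of source-address-exclude as a hole carved out of the source-address range is an assumption.

```python
"""First-match PBR rule evaluation, modelled in Python.

Added example, not Huawei code. Rules are evaluated in policy order and the
first rule whose conditions all match decides the action: pbr (steer to a next
hop) or no-pbr (leave the packet to the routing table). Fields, interface names
and next hops are constructed; source-address-exclude semantics are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    ingress: str                 # incoming interface
    protocol: str = "tcp"
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    ingress_interfaces: tuple = ()   # ingress-interface; empty = any
    source_nets: tuple = ()          # source-address; empty = any
    source_exclude: tuple = ()       # source-address-exclude
    dest_nets: tuple = ()            # destination-address; empty = any
    protocols: tuple = ()            # service protocol; empty = any
    dports: tuple = ()               # destination-port; empty = any
    action: str = "pbr"              # "pbr" or "no-pbr"
    next_hop: Optional[str] = None
    enabled: bool = True             # enable / disable

    def matches(self, p: Packet) -> bool:
        if not self.enabled:
            return False
        if self.ingress_interfaces and p.ingress not in self.ingress_interfaces:
            return False
        src, dst = ip_address(p.src), ip_address(p.dst)
        if self.source_nets and not any(src in ip_network(n) for n in self.source_nets):
            return False
        if any(src in ip_network(n) for n in self.source_exclude):
            return False
        if self.dest_nets and not any(dst in ip_network(n) for n in self.dest_nets):
            return False
        if self.protocols and p.protocol not in self.protocols:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True


def select_action(rules, packet):
    """First matching rule wins. No match: ("-", "no-pbr", None), i.e. routing table."""
    for r in rules:
        if r.matches(packet):
            return (r.name, r.action, r.next_hop)
    return ("-", "no-pbr", None)


# Constructed policy: exempt 10.1.1.2 with a higher-priority no-pbr rule, then
# steer the rest of 10.1.1.0/24 to an assumed ISP next hop 203.0.113.1.
POLICY = [
    Rule("exempt-host", ingress_interfaces=("GE0/0/1",),
         source_nets=("10.1.1.2/32",), action="no-pbr"),
    Rule("lan-to-isp2", ingress_interfaces=("GE0/0/1",),
         source_nets=("10.1.1.0/24",), action="pbr", next_hop="203.0.113.1"),
]

# Same outcome with one rule, using source-address-exclude (assumed semantics).
POLICY_EXCLUDE = [
    Rule("lan-to-isp2", ingress_interfaces=("GE0/0/1",),
         source_nets=("10.1.1.0/24",), source_exclude=("10.1.1.2/32",),
         action="pbr", next_hop="203.0.113.1"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.2", "198.51.100.7", "GE0/0/1"),
                Packet("10.1.1.50", "198.51.100.7", "GE0/0/1"),
                Packet("10.1.1.50", "198.51.100.7", "GE0/0/2")):
        print(pkt.src, "via", pkt.ingress, "->", select_action(POLICY, pkt))
```

Reversing the two rules in POLICY makes the /24 rule catch 10.1.1.2 first, which is exactly the ordering mistake the paragraph above warns against; the disabled flag models the enable and disable commands, since a disabled rule is skipped during matching.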

Enable or Disable PBR rules

Run the enable command to enable the PBR rule. Run the disable command to disable the PBR rule.

Copyright © Huawei Technologies Co., Ltd.